HP-UX Secure Shell A.04.70.021, A.04.70.022, and A.04.70.023 Release Notes
• The sshd daemon defaults to SSH Protocol 2 in new installations. There are no changes to
existing installations.
• The SSH channel window size has been increased, and both the ssh command and the sshd
daemon now send window updates more aggressively, thereby improving performance on
high-BDP (Bandwidth Delay Product) networks.
• The ssh command and the sshd daemon now preserve MAC contexts between packets.
This saves two hash calls per packet and results in 12-16% speedup for arcfour256 and
hmac-md5 algorithms.
• A new MAC algorithm has been added, UMAC-64 (RFC4418) as "umac-64@openssh.com".
UMAC-64 has been measured to be approximately 20% faster than HMAC-MD5.
• A new -K option is added to the ssh command that enables GSSAPI-based authentication
and forwarding (delegation) of GSSAPI credentials to the server by setting
GSSAPIAuthentication=Yes.
• Failure to establish an ssh TunnelForward is now treated as a fatal error when the
ExitOnForwardFailure option is set.
• The ssh command returns a sensible exit status if the control master process exits
unexpectedly.
Support for the Sftpfilecontrol Patch
HP-UX Secure Shell supports the Sftpfilecontrol patch. This patch enables administrators
to set the umask on sftp sessions and to control whether the client may issue chown and chmod
commands in an sftp session. As a result, the following server configuration directives
(/opt/ssh/etc/sshd_config) related to Sftpfilecontrol are supported in this release:
• #SftpUmask
• #SftpPermitChmod yes
• #SftpPermitChown yes
This patch supersedes the sftplogging patch for HP-UX Secure Shell versions A.04.50 and
higher.
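Added example, not part of the original release notes and not HP's code: a small audit of the three Sftpfilecontrol directives in an sshd_config file. It assumes SftpUmask takes an octal mask and that the commented "yes" values shown above are the defaults; the policy it checks (umask masking at least 027, chmod and chown disabled) and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not HP's code). Assumptions: SftpUmask takes an octal mask;
# the commented "yes" values in the shipped file are the defaults; the policy
# (umask masks at least 027, chmod/chown disabled) is illustrative.

# Print the effective global value of keyword $2 in file $1, else default $3.
# sshd keywords are case-insensitive and the first value seen wins.
sftp_directive() {
    awk -v key="$2" -v def="$3" '
        { sub(/#.*/, ""); gsub(/=/, " ") }          # strip comments, allow Key=value
        tolower($1) == "match" { exit }             # global section ends here
        tolower($1) == tolower(key) && NF >= 2 { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Print one finding per weak setting; exit status is the number of findings.
audit_sftpfilecontrol() {
    findings=0
    mask=$(sftp_directive "$1" SftpUmask unset)
    case $mask in
        unset)    echo "SftpUmask: not set"
                  findings=$((findings + 1)) ;;
        *[!0-7]*) echo "SftpUmask: '$mask' is not an octal mask"
                  findings=$((findings + 1)) ;;
        *)        if [ $(( 0$mask & 027 )) -ne $(( 027 )) ]; then
                      echo "SftpUmask: $mask leaves group-write or other bits open"
                      findings=$((findings + 1))
                  fi ;;
    esac
    for key in SftpPermitChmod SftpPermitChown; do
        val=$(sftp_directive "$1" "$key" yes)
        if [ "$val" != no ]; then
            echo "$key: '$val' lets sftp clients change file metadata"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample in the style of /opt/ssh/etc/sshd_config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Protocol 2
#SftpUmask
SftpUmask 0022
#SftpPermitChmod yes
sftppermitchmod no
SftpPermitChown=yes
EOF
audit_sftpfilecontrol "$sample" || echo "findings: $?"
rm -f "$sample"
```

Directives inside Match blocks are not evaluated; the script reports the global section only.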
Defects Fixed in OpenSSH4.7p1
This section lists the defects fixed in OpenSSH4.7p1. HP-UX Secure Shell versions A.04.70.021,
A.04.70.022, and A.04.70.023 are based on OpenSSH4.7p1 and include these defect fixes. Table 1-2
lists the defects fixed in OpenSSH4.7p1.
Table 1-2 Defects Fixed in OpenSSH4.7p1
| Defect Fix | Defect Identifier |
|---|---|
| Patched the ProxyCommand in ssh to allow host-based authentication to work with it. | Bugzilla #616 |
| Modified the scp command to skip FIFO files rather than hang. | Bugzilla #856 |
| Enabled the scp command to process non-printing characters in filenames. | Bugzilla #891 |
| Enabled SIGINT in the sshd daemon's privilege separation child process to ensure that wtmp and lastlog records are correctly updated. | Bugzilla #1196 |
| Provided better error messages for scenarios where GSSAPI libraries support multiple mechanisms. | Bugzilla #1220 |
| Provided a better description for the -d option in the ssh-add(1) manpage. | Bugzilla #1224 |
| Rearranged and tidied up GSSAPI code, removing server-only code being linked into the client. | Bugzilla #1225 |
| Fixed the scp command so that it does not truncate FIFO files while copying the file. | Bugzilla #1236 |